DOCUMENT:Q245695 25-FEB-2001 [iis] TITLE :Error Message: "Access is Denied" When Changing Password PRODUCT :Internet Information Server PROD/VER::4.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Server 4.0 ------------------------------------------------------------------------------- SYMPTOMS ======== When you use the password notification pages that install with the Windows NT Option Pack (NTOP), the following error message may be returned when you submit your password change: Internet Service Manager for Internet Information Server 4.0 Access is Denied Back to http:// CAUSE ===== This error occurs because the account that you wanted to change does not have permissions to change its own password on the domain controller. RESOLUTION ========== On the domain controller, follow these steps: 1. Open User Manager for Domains. 2. Select , and the select Account. 3. At the bottom of the Account Policy page, disable the User must log on in order to change password option. 4. Click OK to save changes. 5. Try changing the user's password again using the IIS Change Password Web application. MORE INFORMATION ================ In order to access the Password Notification application, the Web site must be using either Basic\Clear Text or NT Challenge Response. If the password expiration is within 14 days (default setting), then the user will be prompted to change their domain password using this Web application. In order to manually view this Web application, point your browser to the following: http:///iisadmpwd/anot3.htr When IIS attempts to change or reset the user's domain account password, the user account in which the Web application was accessed is not passed onto the domain controller for authentication. In other words, there is no impersonation taking place on behalf of the user account. Instead, when the user types in the account name, old password, and new password, an encrypted token is created containing all of this information, and that is sent to the domain controller for validation. If the user specified is either a domain controller administrator, or if the User must log on in order to change password is disabled, then the password can be successfully changed. If a domain user has successfully logged onto a computer in the domain, then they can use the operating system's change password utility to change the password even if User must log on in order to change password is selected. This is because the user has already "logged on to" the domain controller, which is different than accessing it through a Web browser. Additional query words: ism, PasswordChangeFlags, PasswordExpirePrenotifyDays ====================================================================== Keywords : Technology : kbiisSearch kbiis400 Version : :4.0 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.